[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?

Dwayne C. Litzenberger dlitz at dlitz.net
Mon Jan 3 10:54:22 CST 2011


+1

Could someone volunteer to do a quick survey of publicly available code that uses PyCrypto to see who (if anyone) is actually using Crypto.PublicKey.ElGamal?

"Paul Hoffman" <paul.hoffman at gmail.com> wrote:

>On Mon, Jan 3, 2011 at 7:15 AM, Zooko O'Whielacronx <zooko at zooko.com>
>wrote:
>> Folks:
>>
>> We need to decide what to do when we find flaws in PyCrypto which
>> would expose a user who relies on PyCrypto to harm.
>>
>> It wouldn't hurt to send an announcement email in some consistent
>> format saying something like "security advisory" in the subject line,
>> and to update the download page or a NEWS page or whatever to warn
>> about the insecure Elgamal implementation.
>>
>> Perhaps also delete, comment-out, or disable the Elgamal
>> implementation and ship a new release of PyCrypto.
>>
>> It really makes me uncomfortable to see the PyCrypto project ship
>> software to users which claims on the label that they can rely on it
>> when we know that if they do, they may be exposed to harm.
>
>+1 to commenting out or disabling things which anyone has serious
>security concerns over.
>_______________________________________________
>pycrypto mailing list
>pycrypto at lists.dlitz.net
>http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
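A helper for the survey Dwayne asks for, as an added example that is neither from this thread nor from PyCrypto: it walks a Python file's AST and reports every import of, and every alias-resolved reference to, Crypto.PublicKey.ElGamal, so a downstream code base can be audited before the module is disabled. The sample source it scans is constructed.

```python
import ast
# Module the thread proposes disabling; this audit helper is an added example, not PyCrypto code.
TARGET = "Crypto.PublicKey.ElGamal"


def _chain(node):
    # Flatten a Name/Attribute chain to 'a.b.c'; '' for any other node kind.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))


def find_elgamal_uses(source):
    """Sorted (line, reason) pairs for each import of, and reference to, TARGET, following
    aliases such as `import ... as eg`. Wildcard imports and local shadowing are not resolved."""
    tree = ast.parse(source)
    bound = {}  # local name -> fully qualified name it was imported as
    hits = set()
    # Pass 1: record import bindings and flag imports of the module itself.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                bound[a.asname or top] = a.name if a.asname else top
                if a.name == TARGET or a.name.startswith(TARGET + "."):
                    hits.add((node.lineno, f"import {a.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                full = f"{node.module}.{a.name}"
                bound[a.asname or a.name] = full
                if full == TARGET or full.startswith(TARGET + "."):
                    hits.add((node.lineno, f"from {node.module} import {a.name}"))
    # Pass 2: resolve dotted references through those bindings; each chain is reported once.
    for node in ast.walk(tree):
        chain = _chain(node)
        head, _, rest = chain.partition(".")
        resolved = bound.get(head, head) + ("." + rest if rest else "")
        if chain and (resolved == TARGET or (isinstance(node, ast.Name) and resolved.startswith(TARGET + "."))):
            hits.add((node.lineno, f"uses {resolved}"))
    return sorted(hits)


SAMPLE = """# constructed sample of the kind of code such a survey would scan
import Crypto.PublicKey.ElGamal as eg
from Crypto.PublicKey import ElGamal, RSA
from Crypto.PublicKey.ElGamal import generate as gen
k1, k2 = eg.generate(1024, None), ElGamal.construct((1, 2, 3))
k3, k4 = gen(512, None), RSA.generate(2048)
"""
```

Running `find_elgamal_uses(SAMPLE)` reports the three ElGamal imports on lines 2 to 4 and the uses on lines 5 and 6, while the RSA import and call are left alone.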

